# waylock: <https://codeberg.org/ifreund/waylock>
# also documented in berbiche NUR: <https://github.com/nix-community/nur-combined/blob/master/repos/berbiche/README.md>
{ config, lib, ... }:
let
  cfg = config.sane.programs.waylock;
in
{
  sane.programs.waylock = {
    sandbox.method = "capshonly";  # not even landlock with full access to / works.
    sandbox.wrapperType = "wrappedDerivation";
  };

  # without a /etc/pam.d/waylock entry, you may lock but you may never *unlock* ;-)
  security.pam.services = lib.mkIf cfg.enabled {
    waylock.unixAuth = true;
  };
}